All right. Hi, everyone. I'm Josh Yavor. I'm from iSEC Partners.
And you are currently attending the BYOD PEAP Show, Mobile Devices Bare Off. Today we are
going to be playing with the wireless here, specifically DEF CON secure. It is not my
fault that it's down right now. I really truly have nothing to do with that. But that actually
helps us. It makes it easier and it makes me not have to blast you with that thing.
So we'll let you know when that's actually going to happen. It's completely voluntary.
We've made it so that it will likely only affect you guys. But, of course, it's who
knows what everyone else is doing with the wireless. So just a heads up, again, we'll
make sure that you have full warning. I do encourage you to participate because I know
that the credentials that you use for the DEF CON secure Wi‑Fi are not the same as
your Gmail, at least I would hope. So I hope you don't mind if I do capture those. So keep
that in mind. And when the time comes, it would be really nice if you could turn your
phones on. I'll let you know. All right. So over the past five years or so, a perfect
storm has been brewing. This perfect storm has three components, much like the perfect
storm of '91, which you see the NOAA weather graph from. So these three components started
in 2008 with a single event at ShmooCon 2008 that we'll talk about. Then there is the growth
of BYOD and then a talk here last year at DEF CON that made everything really easy for
what we're trying to do. So let's take a look at those. In 2008 at ShmooCon, Joshua Wright
and Brad Antoniewicz shared a talk.
It outlined how PEAP was very commonly misconfigured. And at this time, this only really worked with
desktop operating systems. BYOD wasn't a thing yet. The iPhone was less than a year old.
So this was not on anybody's radar that this would then eventually affect BYOD and mobile
devices. So this research actually included a tool called FreeRADIUS-WPE. And that's
been a standard for network penetration.
What Josh and Brad found was that by default, the PEAP configurations that were in use on
desktop operating systems did not do certificate validation. There are some other findings
within the research. I encourage you to look at it. But that's the thing that we're going
to leverage today. Because they didn't check the certificates, they had no way of knowing
whether or not the authentication server they were talking to was a legitimate one or a
rogue one. So the result from this research was that desktop
operating systems were changed. There were upgrades and patches. There were security
advisories that came out telling people how to actually configure things properly. And
this has largely gone the way of the dinosaur as far as an issue. We still run across it
once in a while. But typically it's largely mitigated at this time. At least in desktop
operating systems. One of the lessons that came out of that research,
at least at that time, was the notion that these ‑‑ a PEAP network can actually still be configured properly
and be secure. And that's something that we're going to revisit today in the light of the
other two parts of the storm. Then there's bring your own device. And I
do have to apologize for how many times I'm going to say that buzzword. But do know that
when I say bring your own device, I'm not just talking about BYOD as like in its true
definition, which is users actually bringing the devices that they own. This research and
the tools and techniques we're going to talk about also works against mobile deployments
within a corporation. So if your business buys you an Android device or an iPhone or
a Blackberry, these attacks can still work against you. It's not just the devices that
users bring that they personally own. So BYOD is huge. I don't think I need to talk
too much about that. What's been really amazing is how fast it's grown in the past five years.
So it's just ‑‑ yeah, it's absolutely crazy. It's grown so fast that metrics that
are reliable are really difficult to find.
So the best I can give you is that anywhere between 60 and 85% of companies support BYOD
in some shape or form. Whether or not that means, oh, hey, we give you an open Wi‑Fi
or we set up WPA2 enterprise with PEAP, it's hard to tell. And there are no real hard
numbers that we can give you. There's also the issue where we don't really
know what the definition of BYOD is when we're trying to collect metrics because that
definition changes between environments and based on who's actually collecting those metrics.
What we can tell you is that in BYOD deployments that support WPA2 enterprise, the vast majority
of those deployments use PEAP for the authentication protocol. And we'll go into a little bit more
detail as to why that is in a few minutes. But just know that by and large that is the
most common WPA2 enterprise authentication protocol, which is why it was the juiciest
target. And the third part of our storm and the most recent was Moxie's research last
year that was presented here at DEF CON, at DEF CON 20. And his associated product called
Cloud Cracker. So Cloud Cracker, for those of you who might not have heard about this
or weren't here last year, is a commercial service that's available now. And through
Moxie's research where he was able to reduce the strength of MSCHEP V2 challenge and responses,
he was actually able to work with some other guys to come up with some heavy‑duty computing
systems that are available. And he was able to work with some other guys to come up with
some heavy‑duty computing systems that are available online now that guarantee that
they can crack a MSCHEP V2 credential challenge and response in 24 hours or less for 100 bucks.
And so if you think about the companies that tend to use BYOD deployments, they tend to
have a lot of users. That would be a network that I'd really like to get on. So 100 bucks
is really not that much money when we're talking about a type of credential that will get me
on a network. While we're talking about that credential,
it's important to know that it's not just some random username and password that that
person is using just for logging on to the network. That's typically because of the way
that these deployments work, those are typically the AD creds, your domain creds, the same
creds that get you into the VPN, that get you into your e‑mail, and any other services
that are managed through Active Directory or the equivalent. So this is a credential
that we'd really like to have and that makes it much more likely that someone is going
to be willing to spend the 100 bucks in order to get that.
Also, don't forget that if it's a weak password, you can also crack it locally.
All right. I'm going to spoil the rest of my talk here.
So I'm going to tell you everything that we want you to walk away from this talk.
So on paper, peep should work. As long as everything is perfectly configured, peep should
work. If all the devices validate the certificate, everything is going to be okay. But that doesn't
actually happen in real world deployments. Even when you have a multimillion dollar company
with a huge and really expensive and really fancy mobile device management system or
MDM, those networks still have the same issue. And we know that because we've worked
with those organizations. And we found this issue. And so this isn't something that you
can say just flat out that, you know, it's going to always be okay if you configure
everything properly.
And we'll talk more about why that is a little bit later as well.
The impact is absolutely staggering if you take a look at who could potentially be affected.
The number of organizations that use BYOD is growing.
And over the next few years it's expected that we're going to get closer and closer
to 80, 90% acceptance.
And that means that by default we're going to see the use of WPA2 enterprise increase
as security becomes more of a concern with mobile devices and as mobile devices need
more access to internal network assets.
And that's something that we're seeing with the development of more mobile applications
that integrate with what used to be traditionally only internal or non‑mobile internal assets
and services.
If you support one of these networks, first of all, I did come prepared.
I have two motion sickness bags for you if you need to come up and get one.
So they're right here.
So the impact is enormous.
And there is no corrective action that's going to fix this really easily.
But we need to start working on it immediately.
We'll have some ideas as we start to wrap up near the end here on what you can do to
actually fix this issue if you are in the position of, yeah, needing one of those.
The key thing.
The key thing that damages the assertion that PEAP can work if it's configured properly
is the fact that in any PEAP network, the users are in complete control.
And that's because all I need to know is my username and password to get a mobile
device on the network.
And I don't know about you, but if I was running the wireless network for an organization that
had 10, 20, 30,000 users, I'm not going to trust all of them to know how to configure
the devices right.
And even if I configure their devices right first, I'm not going to trust all of them.
Nothing stops them from bringing on their own mobile device because they know how to
connect because it's just their username and password.
So here's the bottom line.
Again, if I'm in the bags up here.
On defense, this is bad news.
We'll go through some things that you can do to make this a little bit better, but it's
going to take a while for this to be fixed and for these issues to go away.
Fuckin' A right, Lefroy, now that is rockin'.
What's this called?
Shot the noob.
Shot the noob.
Thank you very much.
Why are we doing it?
First time speaker.
Who do we need on stage?
Someone who is first time at DEF CON.
This guy over here.
Thank you.
Yeah.
So good question, only the second person who has asked that, so are the speaker goons
doing a shot in every track for every new speaker?
Answer is yes.
How many is that during this DEF CON?
We have way freaking lost count.
There is no chance we know that number.
Think about it this way.
Wait.
We're almost ready.
It's 4 to 6 an hour since 10 a.m. every day.
We're here for you.
Right.
All right.
To our new speaker and our new attendee.
All right.
Now, if you happen to be on the other side of the fence, you should be really happy.
And I know at DEF CON this is appropriate crowd to share both of those images.
The barrier to entry to gain local access to a wireless network has been drastically
reduced.
And remote access to services that use the Active Directory credentials that are exposed
to the Internet is also reduced.
And you don't really need that much equipment to do that.
Now, there are some people who disagree.
And this dates back to right after Moxie's talk last year.
And some of the things that you'll find, there's lots of follow‑up after Moxie's talk last
year.
Mainly about the VPN issue.
But also about WPA2 enterprise with PEAP.
There's a lot of response from technical writers and people interested in security.
And some of it is absolutely right.
But some of it I tend to disagree with as well.
So like I said earlier, it is completely true that a perfectly configured PEAP deployment
is going to be just fine.
But that never happens in reality.
And so what we're going to see is that we're going to rely on the same people who did the
same follow‑up last year.
After Moxie.
To hopefully help come up with better deployment guides and configuration guides.
Because we typically still see these issues in pen tests with mobile devices.
Where some features that exist within mobile platforms aren't being used.
A good example that comes to mind is iOS profiles that can be installed on phones and make
it really easy to deploy things ‑‑ deploy configurations including WPA2 enterprise configurations.
So that's one of the things that we're going to rely on the people.
Who a year ago were saying this isn't a problem to then turn around and say hopefully, well,
okay, this is a problem.
Let's figure out some more solutions on how to fix it easier.
So let's talk about some of the risks.
These are broad generalizations just to kind of give you a decent overview.
Of course, it drastically differs in site‑to‑site and organization‑to‑organization.
But typically we find that individual users, the chances of you being targeted and the
chances of you really caring that much if your work email is compromised.
You know, at some point, especially if it's a device that your employer handed to you,
you can fairly say, hey, that's not my problem.
I didn't configure it.
So the user experience varies.
And in the type of attack that we're going to talk about in a few minutes, you'll kind
of see why that is.
Of course, there are certain attack methodologies you could use to try to target really high‑profile
users.
So let's say, for example, that you knew that a few CEOs from a group of companies
were going to be in a certain location.
The attack that we're going to demonstrate and talk about shortly will be a lot easier
and a lot more impactful.
The smaller the organization, I'm talking about smaller both in size and in IT resources,
will also tend to have a ‑‑ excuse me ‑‑ smaller in numbers of people, not resources.
Smaller number of people will likely have lower risk.
And that's primarily because you have fewer devices that you need to actually configure.
If you're a mom‑and‑pop shop.
Yeah.
You probably have your hands on every single one of those devices every day and probably
make physical contact with every single person that carries one of those devices.
So it's probably going to be pretty easy to manage.
The twist to that, though, is that once you get into small and medium‑size, like, full‑grown
businesses, but they lack those IT resources to come up with a full‑fledged MDM solution,
we see that they're much more likely to be vulnerable.
If you have a user base that doesn't change very much, then you're going to have an easier
time configuring and managing those devices, regardless of your MDM solution or if you
have one or not.
Of course, the higher risks are to the internal network assets that exist within the network
that can then be compromised with those credentials.
Large organizations with more users, of course, have more users that are likely to have misconfigurations.
And I'll share some metrics from my testing experience a little bit later.
Of course.
the more phones and devices you have coming in and out, the more likely you are to make
mistakes. And this misconfiguration is everywhere. And one of the things I wanted to point out
is a public example that we can share. I'm not going to call out any individual universities
or public education institutions, but you can do that yourself. It's really easy. Because
those types of organizations have to support so many users and their IT help desk staff
is typically just swamped regardless of trying to manage WPA2 enterprise, they tend to put
all of their instructions for accessing the wireless network online, which private companies
tend not to do. But if you can see their wikis, like if you guys go back to your employer
and you want to check to see what the likelihood of your organization being vulnerable to this
type of attack is, then check your internal wiki or documentation that tells you how
to configure your mobile devices if you have a BYOD policy at your employer. And if you
don't, that will tell you pretty quickly whether or not you're going to have an issue.
And we'll show you what that looks like. So this is taken from one of the universities
in that search result. And typically what we find is that the instructions are super
old. Really old versions of Android, BlackBerry, the Windows Phone before Windows Phone, Windows
Mobile, is on there too often. And what we see as well is that either the user is explicitly
told not to install a service.
Or they don't say anything about the certificate and just put up a screen shot like this. And
so that's the configuration that I need. That's the configuration that I'm going to go with.
And we still even see that for Windows as well. Where even today, even after Brad and
Josh's talk in 2008, we still see publicly available information from the authority for
a network telling users not to validate the certificate. You see that in the other settings,
the comment at the bottom there. So that's pretty scary. So we have a lot of catching
up to do even from 2008. But now we have to catch up even faster because BYOD is growing
so much. So why PEAP? Well, this shows a little
bit of it. So PEAP and EAP-TLS. EAP-TLS, by the way, requires mutual certificate authentication,
so the authentication server presents the certificate,
the user validates that, hopefully, and then sends their own certificate back. So it's not actually
using AD creds. EAP-TLS and PEAP are the two most widely supported EAP types across mobile
device platforms and in general as well for desktop operating systems. It used to be that
the Wi‑Fi Alliance required support for EAP-TLS if you were going to be WPA2 enterprise
certified. That's no longer true. I think that changed back in 2005 or 2006. I wasn't
quite able to get an exact date on that. But what you see is that PEAP is the most widely
supported across mobile devices. And so if your goal is to just support as many devices
as you can, truly be a BYOD organization, then PEAP is a very attractive option. It's
also much easier to configure. Because I don't know about you, but I know that my mom doesn't
know how to actually download and install a client certificate. I mean, it's hard enough
trying to tell her how to find a PDF that she downloaded on her mobile operating system.
That can be pretty tricky. And then trying to actually go ahead and manage a certificate
and then get that on the device securely, especially for device platforms that don't
support MDM solutions or that don't have a robust integration with them, that can be
troublesome. There are many other EAP types, but the ones that you see on the screen are
the ones that are the most popular. So if you're looking for something that's really,
really easy to use, these are the ones that are supported by those devices, or not.
So really quick, just for a few people who might not be really familiar with WPA2 enterprise
and the difference between why we use that versus a pre-shared key like with WPA2 or
open, we'll just talk about this briefly. So it's all about access control granularity.
In an open network, it's open. We get that. With WPA2, you just need one shared key,
the passphrase. And everybody knows it. And that's great for, like, your family network.
And what you go home to. But as an organization grows and you get, like, 100, 200, thousands
of users, it gets pretty bulky and cumbersome. Because what ends up happening is, unlike
WPA2 enterprise, where each individual user has a user name and password or some other
credential that associates that device to that user, when we actually have a compromise
of those credentials, or let's say it's not even a compromise but somebody leaves an organization
and we don't want them to know the password, it becomes an issue.
Because in WPA2, what you have to do is actually change the password of the Wi‑Fi network
and then change that setting on every single one of your wireless devices. And that does
not scale well. And that's why WPA2 enterprise is used so widely in large organizations.
Because at that point, all you have to do is lock a single account and you're good.
So let's talk about where these issues actually lie. And this will kind of build up the path
to talking about the actual use case. So, WPA2 enterprise in a large organization, and then the
exploitation methods, and we'll get into those fun details. So 802.11 is pretty straightforward
as far as association to the access point. What's interesting here is there's a request
for the AD user name, request for the identity. The identity is then given back. That's actually
outside of directly speaking to the RADIUS server as far as establishing a secure tunnel.
So regardless of whether or not you have a rogue or real access point, or an access point in front of
a rogue or real RADIUS server, you can still get the user name of the person that's trying
to connect their device. That's something we've known for a really long time. It's just
fun to know. So outer authentication, and this is what was broken by Brad and Josh with FreeRADIUS-WPE.
So that identity goes to the RADIUS server. The RADIUS
server sends back a certificate, and the client is supposed to validate that certificate.
But in order to do that, it has to have either that certificate pinned already or it has
to have a trusted root for the CA identified. And we'll get more into that later. But that
establishes the secure tunnel. And then inside of that secure tunnel is where Moxie comes
in. So now that that secure tunnel has been established, there's an access challenge that
comes from the RADIUS server to the mobile device. And then a challenge response that
goes back from the mobile device to the RADIUS server. That's the part where if you can get
a mobile device to connect to you, even with an invalid certificate, the fact that you
can capture those challenge responses means that you can then reverse that using Moxie's
tools and research. We're going to go to the mobile platforms and talk about how they
differ. Because what's really interesting in doing this research,
and in the live testing with organizations, is that none of the mobile device platforms
are perfect. Some are better in some areas. Some are worse in some areas. It's just a
really diverse set of support and features for WPA2 enterprise. One thing I want to note
here is that just remember that I'm not saying that one platform is more secure than the other
overall. We're specifically just talking about WPA2 enterprise. We're going to take a look
at the four major, I guess, features of WPA2 enterprise in
different environments. iOS and Android from the organizations I've worked with are probably
about 50/50, 60/40, somewhere in there. So Android supports the types that you see
up there. What's interesting about the user interface for configuring WPA2 enterprise
is that it's reused between EAP-TLS and EAP-PEAP and all the other EAP types. So it made
it really easy for the developers and to some extent to the users because nothing is going
to move around. But people actually tend to start to ignore the certificate configuration
part if they don't ‑‑ if they're not explicitly told what they need to do with
it. So you can see that I'm configuring my device here. Following the instructions that
we found on the college's website. By default, if I click on the CA certificate, there's
nothing available to me. And that's both good and bad. It's good because public CAs can
be used, but there are some drawbacks to using public CAs for authenticating the RADIUS server.
The reason that that can be a challenge is because mobile devices don't actually validate
the CN name of the certificate. And so let's say that ‑‑ let's say that you use Trustwave
for your ‑‑ or VeriSign for your certificate. That means that all of your mobile devices
are going to have that root CA as the trusted CA for your wireless network. All I really
need then is a certificate from one of those public CAs and they're public. So I'm going
to spend 100 bucks, 150 bucks, something like that. And then I can then potentially get
your devices to connect to me and I'll pass that validation. So it's good and it's bad.
This prevents you from selecting a whole bunch of different public CAs by default. But it
also doesn't prompt you or anything to ‑‑ you know, you're going to have to go through
a lot of different ways to communicate with the RADIUS server and actually see what the
certificate is or to install one that is available externally.
Inside of the Phase 2 authentication, you actually see that there's a whole bunch of
different options there as well. That also leads to some misconfigurations that are outside
the scope of what we're talking about here. But let's just say that when you're doing
testing and Android devices are misconfigured, you can see some really silly things coming
over the network. On to iOS.
iOS has a relatively very strong business presence. Part of that from the feedback
I received comes from their configurability, especially with those iOS profiles that can
be pushed out to the devices. The PEAP configuration is straightforward. You enter your user name
and password. It actually prompts you to validate the certificate. It's a trust on first use
approach. So the user is actually shown a certificate. It says not verified if it's
not in one of the installed CAs within the operating system. And before you accept it, you can actually take a look at
the details. And this way you can see whether it's the default certs that come with free
radius WPE or if it's actually the certificate that you're expecting from your organization.
Now users really are terrible at figuring that out, but oftentimes if the organization
says example link and you're expecting that it's going to be your business' certificate,
hopefully that's going to raise a flag. BlackBerry. And I do apologize for the screenshots.
It's not easy to get a screen capture out of an old BlackBerry. So BlackBerry actually
has a lot of different types that they support. They have the most of any of the mobile platforms.
Not all types are created equal, though, and only a handful of them remain secure. And
if you want more information on that, Josh and Brad's research, they have a lot of information
that goes into a lot of the details there. So this is both good and bad. There's wide
support on the platform for just about every type that you can find in a mobile environment.
But again, some of those are not that great to use. The PEAP configuration is nice in
that if you see the blue bar at the bottom, you actually have to explicitly disable certificate
validation if that's what you want it to do. By default, BlackBerry requires you to validate
the certificate. You can't complete that configuration until you've either disabled
it or given it a CA. But this one, BlackBerry, has all the public CAs available. Again, it's
both good and bad. It depends on your risk profile and things like that. Windows Phone
8. Doesn't have a very large business presence right now, but seeing that it comes from such
an old company, a well‑known vendor and manufacturer, it's something that is worth talking about.
The PEAP configuration is similar to iOS at the start where it's just a very simple user
interface, username and password. But you'll notice that the validate server certificate
option is at the very bottom and it's off by default. And so that's something that makes
it pretty easy to accidentally just click through without installing the certificate.
In fact, you don't even see a certificate prompt.
You're in a place where you can actually enter a certificate until you turn that on.
The certificates that are available on Windows Phone 8 are actually kind of interesting.
There's a very small number, which is good, because the fewer CAs that you trust, the
better. But they actually ‑‑ and this has nothing to do with the security of the
platform, but I did find it interesting that there are actually two expired certificates
that it ships with. It was just odd, a strange finding. All right. So you understand now
the different platform support for WPA2 enterprise. You see that PEAP is the most widely supported.
And oh, yeah, just want to mention again that you saw on the table that Windows Phone 8
only supports PEAP. Not TLS, no other EAP types.
So now that we've gone through all the different mobile platforms and you understand that it
‑‑ that the user experience varies and that's one of the reasons why it's so difficult
to write instructions for your users to follow. Like if you're at a university or a large
organization, for example. So the chances for misconfiguration are pretty high.
Let's take a look at how we attack then. That's the fun part. When I'm telling you about these
things in the traditional network attacks here, we're going to be using some anonymized
data about some real life attacks that we're able to do. As we get into the more exotic
and fun attacks, there will be some hypothesized things based on some other fun stuff.
So in a traditional attack, it's a regular rogue
access point. All you need is a laptop really. In my setup up here, we'll talk about that
later, but I'm actually using a regular router and another Wi‑Fi card and antenna. That's
mainly because I expected a lot more pushback from the audience and the hostility of the
wireless network here. But it turns out we might not actually run into any problems there.
So with a ‑‑ what's that? Now since I said that, yeah, I see all the laptops coming
on.
Actually, that would be good for me. I would really like that right now. Actually, in
about a few more minutes. So with a traditional attack, it's just like trying to capture something
on an open Wi‑Fi network with a pineapple or something like that. The best way to perform
one of these attacks is to broadcast as an access point connected to a RADIUS server.
The de facto standard is FreeRADIUS-WPE right now, although we'll talk about more tools
that can actually do that as well. I'll broadcast the SSID. I'm going to go ahead and show you
the network name of company X. And the best way to do this attack is actually not to be
on‑site at company X. What you want to do is go to some place where you're going to
find their employees and users, but away from their wireless networks. And that's for multiple
reasons. First, it makes it a lot easier to actually get them to associate with you.
Because then you're not fighting the broadcast and the power of the other, like, the real
access points. Sure, you can deauth, but then that makes it ‑‑ that makes it a
lot more of a headache. Additionally, testing away from buildings and away from the real
network reduces the likelihood that you're going to be caught. A lot of wireless systems
now actually come with features where you can triangulate the location of rogue access
points. And so if you're camped out in a parking lot and you're a little too close,
there's a good chance that physical security might come knocking on your door. I can tell
you from experience, though, that having your daughter in the back seat holding the router
makes it a lot less likely that anyone from physical security might come knocking on your
door. So story time. So an example that I can tell you about is an organization with
about 1500 users. They didn't have their own building or anything like that. They were
on a multi‑level building on one of the floors. Their access points were weak enough
where you couldn't really get reception outside of the building, though. So a great way to
perform an attack like this is actually to sit out if there's a park or a lobby out front.
If you can find any choke point, an entryway, an exit, that's great. I was able to sit
down in the lobby and actually get everyone on their way in and out as they're going to
the elevator or the stairs. And so that was pretty easy. There's one single choke point.
Now that type of organization would be pretty difficult to target out in the general population.
I'm saying that because I'm going to lead up to some of the more fanciful attacks that
are coming next. When you have a much larger organization, though, for about a thousand
or more, you know, some of the organizations that come to mind can even be in the tens
and maybe even hundreds of thousands of people, you're much more likely to run across those
users other places, just out in the general public. For organizations that have their
own campus, one of the best ways to pull off this attack is actually to sit at the
edge of the parking lot, especially if there's a major freeway there or a stop light or anything
like that where they're queuing up to actually come into the parking lot. One of my favorite
experiences was doing a test like this on the edge of a campus. And there was a lot
of people that rode their bicycles to work. And as I'm sitting there monitoring the tools
and you actually see who's trying to access your access point and talk to the RADIUS server,
and you just all of a sudden see all this traffic go by and it drops off as they ride
by. And so that was pretty fun. So finding a choke point and a physical presence is great.
But these traditional attacks are well known. They're well established. Everyone can do
this. The trouble is what if you're not there? What if you want to be able to compromise
somebody's Active Directory creds from their mobile devices and you can't get access to
where they actually work? Well, you have to go find them somewhere else. And that's
where the more interesting attacks come up.
So for multiple networks, what if I didn't just want to get into my bank's network? What
if I wanted to get into any or all banks' networks? Can't do that traditional attack.
I mean, I could, but I'd have to sit in one place, broadcast one network name, one SSID
for a long time, wait, stop, do it again. It's going to take a long time. So what if
we did something like create a tool that would actually let us rotate the SSIDs on a predetermined
basis? What that would let us do is actually hop in the car and do like wardriving
3.0, which is where you're not actually targeting access points. You are the access
point and you're targeting mobile device users. So I'm going to use San Francisco, which is
where our headquarters is as an example. So if I wanted to target banks, what I would
do is hop in my car with my list of SSIDs matched to a whole bunch of banks or any other
organization that would be around there, and all I have to do is drive around the financial
district at lunchtime.
Chances are I'm going to find a bunch of people who are out to lunch, away from the
organization, away from their Wi‑Fi networks, and that means it's going to be very easy
for them to connect to my access point. And the only catch is that we have to make sure
that we're rotating SSIDs frequently enough in order to make it effective.
So if you think about that, you can actually curate this list by industry or even by geographical
location. In that example, we did both.
You can get some really awesome extra credit if you do it on public transit as well. Public
transit is fantastic, especially in the Bay Area, because you have a lot of tech companies
that use services like BART and Caltrain. So public service ‑‑ public transportation
services can be a really good hunting area. And then finally, what if we just don't care?
I just want to get on some network. I want AD creds. I just think it's fun. Well, we
can do that, too.
That just means that instead of having a predetermined curated list, it means that
we're going to dynamically change the list. And we can do that by listening for probe requests,
for beacons, and also by going a little bit further and using some outside tools.
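A defender-side check for the rotating rogue access point described above, added here as an example and not part of the talk or of any tool it names; the beacon observations, BSSIDs and SSIDs are all constructed.

```python
"""Added example, not from the talk: flag one radio (BSSID) cycling through many
802.1X SSIDs, the signature of the rotating rogue access point described above.
The observations below are constructed: (seconds, bssid, ssid, akm)."""
from collections import defaultdict

OBSERVATIONS = [  # constructed sample beacons; "WPA-EAP" = enterprise, "WPA-PSK" = pre-shared key
    (0,  "aa:bb:cc:00:00:01", "CorpNet",        "WPA-EAP"),
    (30, "aa:bb:cc:00:00:01", "CorpNet",        "WPA-EAP"),
    (0,  "de:ad:be:ef:00:01", "BankA-Wireless", "WPA-EAP"),
    (20, "de:ad:be:ef:00:01", "BankB-Staff",    "WPA-EAP"),
    (40, "de:ad:be:ef:00:01", "BankC-Corp",     "WPA-EAP"),
    (60, "de:ad:be:ef:00:01", "BankA-Wireless", "WPA-EAP"),
    (0,  "11:22:33:44:55:66", "CoffeeShop",     "WPA-PSK"),
    (45, "11:22:33:44:55:66", "CoffeeShop-5G",  "WPA-PSK"),
]

def find_rotating_radios(observations, window=300, min_ssids=3):
    """Return {bssid: [ssids]} for every BSSID that advertised at least
    `min_ssids` distinct WPA-EAP network names inside any `window`-second span.
    A legitimate multi-SSID AP uses a separate BSSID per SSID, so a single
    BSSID rotating through several enterprise names deserves an alert."""
    per_bssid = defaultdict(list)
    for t, bssid, ssid, akm in observations:
        if akm == "WPA-EAP":
            per_bssid[bssid].append((t, ssid))
    flagged = {}
    for bssid, seen in per_bssid.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            names = {s for t, s in seen[i:] if t - t0 <= window}
            if len(names) >= min_ssids:
                flagged[bssid] = sorted(names)
                break
    return flagged

def evil_twins(observations, inventory):
    """Return sorted (ssid, bssid) pairs where a known corporate SSID is
    advertised by a BSSID missing from `inventory` ({ssid: {bssid, ...}})."""
    return sorted({(s, b) for _, b, s, _ in observations
                   if s in inventory and b not in inventory[s]})

if __name__ == "__main__":
    print(find_rotating_radios(OBSERVATIONS))
    print(evil_twins(OBSERVATIONS, {"BankA-Wireless": {"00:11:22:33:44:55"}}))
```

In a real deployment the observations would come from a wireless IDS or a monitor-mode capture, and `inventory` from the access point controller's BSSID list.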
So let's talk about that. The existing tools that we have, FreeRADIUS-WPE,
which you heard me talk about, that's just a RADIUS server that's been modified
to shoot out the ‑‑ to be able to do that. So we're going to talk about that.
The MSCHAPv2 challenge and response, instead of keeping it secret. That's pretty fun.
There's hostapd and hostapd-wpe. Brad actually did hostapd-wpe for testing EAP-FAST, which
you should probably look into if you want to support that.
There's also DD-WRT and OpenWrt, which you can easily script. And one of the things
that I haven't done yet, but I'd really like to look at, is patching the FreeRADIUS tool
that's available for OpenWrt with FreeRADIUS-WPE. That's a very powerful tool. That would be pretty
cool because you could just have a stand‑alone low‑power router that you just drop somewhere
and let it go. So the goal of this tool is just to give
every single network PEAP. Just give it to everyone. So what's next for that tool? Well,
you can script the rotation of SSIDs in DD-WRT and OpenWrt. And that can get kind
of cumbersome and annoying because you have to listen for them, you have to build the
list and you have to get them on to OpenWrt somehow. Now, you can probably do that within
OpenWrt. I haven't got that far yet. There's a tool called hostapd Python script, which
allows you to control hostapd from within Python, which also means that you can use
Scapy to listen for all those probes and the beacons and then dynamically add those
to your list. hostapd Karma as well? All right. That's
fantastic. That just made things easier. So hostapd Karma. All right. So getting fancy,
what else can we do? We could use GPS, potentially. Haven't done that yet, but if you can give
it coordinates and you can query a resource saying, hey, I want every WPA2 enterprise
SSID within ten miles of where I am, you can go anywhere in the world and potentially
exploit a whole bunch of networks that you don't even know exist. And then you can just
do the research and figure out where they are and what networks you got into.
So the goal is eventually to get this into a single tool. My colleague Ryan Lacy and
I have been working on this for a little bit. It's difficult. It's not easy at all. There's
a group called ‑‑ there's a tool called EAPeak that was presented at one of the Black
Hats in 2011, I believe, that got pretty far along that path, but I think that they took
a different approach later on. But it's not easy, but we're getting there. Hopefully eventually
we'll be able to release a full single tool that will actually do all this in one install.
We're not quite there yet. We will be sharing some of the tools that we've used to build
up to that, including the logic that we've been using to build those dynamic SSIDs.
So how do we fix this? You can't just turn off your Internet. And I bring that up because
‑‑ well, it actually happened here, which reminds me of a place that we did this
at once. We were working with an organization where there was a PEAP network. And after
working with them, we realized, hey, we can't support this. Rolled out an EAP-TLS network with
a different name. And you can probably see where the problem is. Because you can exploit
this even without the network. So five, six months later, you can go back, potentially,
and broadcast as that old network name if you happen to know it and still communicate
with the devices. And if they don't rotate their credentials regularly and if they don't
have high device turnover, there's a real problem. If they don't have high device turnover,
there's a really good chance that you're still going to find somebody who is misconfigured,
even though the network doesn't exist, which is kind of creepy. So really, EAP-TLS, it's
difficult to support and difficult to roll out, but it leads to more security. We also
need better mobile device management. So quick comparison. EAP-TLS is nearly universal as
is PEAP. The difference is that PEAP is easy. EAP-TLS isn't.
EAP-TLS is hard. Let's take a look at why. I'm running out of time and I want to get
to the demo. So doing PEAP right takes a lot of work. We talked about a perfect storm.
To do PEAP right, you have to do so much work that hopefully, and this is what I hope
you experience for those of you who are on the defensive side of this, in order to do
PEAP right, you have to do so much work that it's probably going to still be easier to
deploy EAP-TLS. Because in the end, remember, even if you perfectly configure your network,
that one user or ten users that want to add their own device still know their username
and password. And your MDM solution isn't going to touch that, especially if they misconfigure
it so badly that they don't even bring it to work anymore and it's just sitting in their
car and you can still pick it up while you're driving 3.0 all the way around.
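A defender-side audit of the client-side configuration the fix depends on, added here as an example rather than anything from the talk. It parses wpa_supplicant's `network={...}` block syntax and checks the real `ca_cert`, `domain_suffix_match` and `subject_match` options; the config text is constructed and shows the weak PEAP block beside the hardened one.

```python
"""Added example, not from the talk: audit wpa_supplicant-style network blocks for
the PEAP misconfiguration above (a tunnelled EAP method with no server-certificate
pinning). The config text below is constructed."""
import re
SAMPLE_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
}
network={
    ssid="CorpNet-Fixed"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""
TUNNELLED = {"PEAP", "TTLS", "FAST"}  # password credential rides inside a TLS tunnel

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            if "=" in line:
                k, _, v = line.strip().partition("=")
                kv[k] = v.strip('"')
        nets.append(kv)
    return nets

def audit(conf):
    """Return {ssid: [findings]}; an empty list means the client pins its RADIUS server."""
    report = {}
    for n in parse_networks(conf):
        if n.get("key_mgmt") != "WPA-EAP":
            continue  # not 802.1X, out of scope
        findings = []
        if not n.get("ca_cert"):
            findings.append("no ca_cert: any server certificate is accepted")
        if n.get("eap") in TUNNELLED and not (n.get("domain_suffix_match") or n.get("subject_match")):
            findings.append("no domain_suffix_match: any certificate from the trusted CA is accepted")
        report[n["ssid"]] = findings
    return report
```

The first block is the one the talk's rogue RADIUS server wants to see: it will hand its MSCHAPv2 response to whatever server answers for that SSID; the second refuses anything not issued by the corporate CA for the expected RADIUS hostname.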
So DEF CON secure. I'm hoping some of you didn't install a certificate. Those of you
using iOS probably are going to be more okay. Right now we're going to go ahead and get
the demo. We have four minutes for that. Last warning, I'm asking all of you to be
victims. This is not going to hurt, I promise. I will not crack your passwords. I don't
really think your DEF CON secure password is worth a hundred bucks or the time and energy
it would take for me to do it on my own. No man in the middle is going to be conducted.
So like I don't have ‑‑ I'm not connected to the internet. I'm not connected to the
internet here. So I can't even provide you a service even if I wanted to. So you're going
to be all set there. And, yeah, we'll see what happens. So last chance, if you don't
want to participate, please turn your phones off, mobile devices, hit your Wi‑Fi switch
on your laptop. But otherwise, please, it's the end of DEF CON and this would be kind
of fun if I got like 40 of you. So turn your phones on, please, and participate. And let's
go ahead and get into that.
By the way, that's everyone probing for DEF CON secure right now. So this might actually
work. And I was going to need deauth, but I don't think I need to anymore. Now, we got
to make sure that I'm actually on the right IP address. Yep, should be. All right. So
let's see what happens. Does anyone picking up DEF CON secure now? No? Okay. It might
take a second here. I got to turn my Wi‑Fi back on. Okay. It's still booting up. All
right.
Should be coming up. Oh, wow. Yeah. Okay. Some of you are hitting it. All right. Now,
let's see if I can show you ‑‑ not there yet. So one of the problems is that even if
you don't ‑‑ even if you do validate the certificate, you're still talking to the
IP address. So a lot of you are talking to it and this little thing is falling apart.
But I do have a backup example I can show you. I'm connecting. All right. I just saw
my name go by. Oops. Sorry.
All right. So on the screen, what you see is the output every time somebody is trying
to connect to me. And when you see the big TLS blobs go by, that's when I get happy.
Really? That's awesome. That's a good name. You guys are validating your certificates.
All right. Okay. So let's go ahead and take a look at some of this.
So that was ‑‑ a Black Hat or a Black Hat?
Oh, a Black Hat? No. No, that was not me at Black Hat.
So are you doing an isolated search?
Yes, I am.
Well, that's disappointing. What's that? Yes, I'm in the right directory. Thanks, though.
No. Other way. At least in my experience. I've had it so that when the log is there,
it actually won't update the current log. All right. Well, I'm running out of time.
So what I'm going to do is I'm going to leave this on for another couple seconds, maybe
a minute or two, and hopefully get some more. We see all the EAP traffic going by. And I
can tell you, like, the name that we saw ‑‑ oh, somebody had strong feelings about Black Hat.
So what I can tell you is that I see, like, my name coming by and the EAP blobs. When you
saw that big blob there, that's the cert and that's the challenge and that's the EAP
message going back and forth.
We're getting it. It's just not logging. So there's too many of you. All right. So
I got to wrap up. But thank you. It's been a lot of fun.
